author | Kevin F. Quinn <kevquinn@gentoo.org> | 2006-09-01 14:39:52 +0000 |
---|---|---|
committer | Kevin F. Quinn <kevquinn@gentoo.org> | 2006-09-01 14:39:52 +0000 |
commit | 1da91142a97335f3da48e5e1bf457c11512d7163 (patch) | |
tree | 4854d83116beb36278aaa83ca5ec0baa2f3b552a /app-text/info2html/files/info2html-2.0-xss.patch | |
parent | New version =app-text/info2html-2.0 masked for ebuild testing (diff) | |
bump to 2.0; configure for info dirs more intelligently
(Portage version: 2.1.1_rc1-r1)
Diffstat (limited to 'app-text/info2html/files/info2html-2.0-xss.patch')
-rw-r--r-- | app-text/info2html/files/info2html-2.0-xss.patch | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/app-text/info2html/files/info2html-2.0-xss.patch b/app-text/info2html/files/info2html-2.0-xss.patch
new file mode 100644
index 000000000000..a2254bdbbe2b
--- /dev/null
+++ b/app-text/info2html/files/info2html-2.0-xss.patch
@@ -0,0 +1,61 @@
+diff -u info2html-2.0-orig/info2html info2html-2.0/info2html
+--- info2html-2.0-orig/info2html 2006-09-01 14:55:13.000000000 +0200
++++ info2html-2.0/info2html 2006-09-01 15:05:41.000000000 +0200
+@@ -42,7 +42,7 @@
+ 
+ use CGI;
+ $ENV{'REQUEST_METHOD'} or
+- print "Note: I'm really supposed to be run as a CGI!\n";
++ print "Note: I'm really supposed to be run as a CGI\!\n";
+ 
+ #-- patterns
+ $NODEBORDER = '\037\014?'; #-- delimiter of an info node
+@@ -62,7 +62,7 @@
+ #---------------------------------------------------------
+ # Don't reveal where we're looking... --jonh 5/20/97 (and reapplied 5/4/1998)
+ sub DieFileNotFound{
+- local($FileName) = @_;
++ local($FileName) = &XssEscape(@_);
+ #-- TEXT : error message if a file could not be opened
+ print <<"EOF";
+ <html><head><title>Info Files - Error Message</title>
+@@ -104,6 +104,28 @@
+ }
+ 
+ #----------------------------------------------------------
++# XssEscape
++#----------------------------------------------------------
++sub XssEscape {
++ local($Tag) = @_;
++ #-- output escaping is required to protect browser
++ # against `cross site' and `cross frame scripting'
++
++ $Tag =~ s/&/&/gs; # ampersand
++ $Tag =~ s/#/#/gs;
++ $Tag =~ s/;/;/gs;
++ $Tag =~ s/[\000-\037\177-\237]/¿/gs; # "ctrl" codes 0-31 and 127-159
++ $Tag =~ s/</</gs; # less-than symbol
++ $Tag =~ s/>/>/gs; # greater-than symbol
++ $Tag =~ s/"/"/gs; # double quote
++ $Tag =~ s/\240/ /gs; # non-breaking space
++ $Tag =~ s/\255/­/gs; # soft hyphen
++ # the rest is interpreted
++ # as ISO 8859-1
++ $Tag;
++}
++
++#----------------------------------------------------------
+ # ParsHeaderToken
+ #----------------------------------------------------------
+ # Parses the heaer line of an info node for a specific
+@@ -493,6 +515,8 @@
+ #----------------------------------------------------------
+ sub ReplyNotFoundMessage{
+ local($FileName,$Tag) = @_;
++ $FileName = &XssEscape($FileName);
++ $Tag = &XssEscape($Tag);
+ print <<"EOF";
+ <html><head><title>Info Files - Error Message</title>
+ $BOTS_STAY_AWAY
+Only in info2html-2.0: info2html.orig
+Only in info2html-2.0: info2html.rej |
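Review bot: In the new XssEscape the `;` substitution runs after the `&` and `#` ones, so if those replacements are the `&amp;`/`&#35;` entity forms (the rendered page has decoded them to bare `&` and `#`), every entity emitted by the earlier lines gets its terminating semicolon rewritten, turning `&` into `&amp&#59;` and `#` into `&#35&#59;`; browsers mostly tolerate the missing `;`, so this is a correctness blemish rather than an escaping bypass, but it shows the nine-step chain is order-sensitive. A single pass avoids any re-escaping: `$Tag =~ s/([&#;<>"\240\255])/sprintf('&#%d;', ord($1))/ge;` followed by `$Tag =~ s/[\000-\037\177-\237]/&#191;/gs;` — or, since the script already does `use CGI;`, `CGI::escapeHTML($Tag)` covers the XSS-relevant characters without a hand-rolled table. Only the two error-page paths DieFileNotFound and ReplyNotFoundMessage are escaped here; whether `$FileName`/`$Tag` reach other HTML output in the script unescaped is not visible in this patch and is worth confirming. The bodies of DieFileNotFound and ReplyNotFoundMessage continue outside their inner hunks.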